feat: add laceworksubmodule

.github/workflows/examples.yaml → .github/workflows/examples-complete.yaml

@@ -1,4 +1,4 @@
-name: Deploy Module Examples
+name: Deploy Module Examples - Complete
 
 on:
   pull_request:
@@ -15,8 +15,4 @@ jobs:
     uses: tx-pts-dai/github-workflows/.github/workflows/[email protected]
     with:
       environment: examples
-      tf_backend_configs: |
-        bucket=tf-state-911453050078
-        key=examples/complete.tfstate
-        workspace_key_prefix=terraform-aws-kubernetes-platform
       tf_dir: examples/complete

.github/workflows/examples-lacework.yaml

@@ -0,0 +1,18 @@
+name: Deploy Module Examples - Lacework
+
+on:
+  pull_request:
+    paths:
+      - 'examples/lacework/**'
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  example_lacework:
+    uses: tx-pts-dai/github-workflows/.github/workflows/[email protected]
+    with:
+      environment: examples
+      tf_dir: examples/lacework

.gitignore

@@ -28,3 +28,7 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+
+# Ignore dotenv files
+.env
+.tfenv

.pre-commit-config.yaml

@@ -29,3 +29,5 @@ repos:
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: no-commit-to-branch

README.md

@@ -129,8 +129,8 @@ as described in the `.pre-commit-config.yaml` file
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_addons"></a> [addons](#input\_addons) | Map of addon configurations | `any` | <pre>{<br>  "aws_load_balancer_controller": {<br>    "enabled": true<br>  },<br>  "cert_manager": {<br>    "enabled": false<br>  },<br>  "external_dns": {<br>    "enabled": true<br>  },<br>  "external_secrets": {<br>    "enabled": true<br>  },<br>  "fargate_fluentbit": {<br>    "enabled": true<br>  },<br>  "ingress_nginx": {<br>    "enabled": false<br>  },<br>  "kube_prometheus_stack": {<br>    "enabled": false<br>  },<br>  "metrics_server": {<br>    "enabled": true<br>  }<br>}</pre> | no |
-| <a name="input_base_domain"></a> [base\_domain](#input\_base\_domain) | The base domain for the platform | `string` | `"tamedia.net"` | no |
-| <a name="input_cluster_admins"></a> [cluster\_admins](#input\_cluster\_admins) | Map of IAM roles to add as cluster admins | <pre>map(object({<br>    role_name         = string<br>    kubernetes_groups = optional(list(string))<br>  }))</pre> | <pre>{<br>  "cicd": {<br>    "role_name": "cicd-iac"<br>  },<br>  "sso": {<br>    "role_name": "aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AWSAdministratorAccess_3cb2c900c0e65cd2"<br>  }<br>}</pre> | no |
+| <a name="input_base_domain"></a> [base\_domain](#input\_base\_domain) | The base domain for the platform | `string` | `""` | no |
+| <a name="input_cluster_admins"></a> [cluster\_admins](#input\_cluster\_admins) | Map of IAM roles to add as cluster admins | <pre>map(object({<br>    role_name         = string<br>    kubernetes_groups = optional(list(string))<br>  }))</pre> | `{}` | no |
 | <a name="input_eks"></a> [eks](#input\_eks) | Map of EKS configurations | `any` | `{}` | no |
 | <a name="input_karpenter"></a> [karpenter](#input\_karpenter) | Map of Karpenter configurations | `any` | `{}` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the platform | `string` | n/a | yes |

examples/complete/main.tf

@@ -5,6 +5,7 @@ terraform {
     bucket               = "tf-state-911453050078"
     key                  = "examples/complete.tfstate"
     workspace_key_prefix = "terraform-aws-kubernetes-platform"
+    dynamodb_table       = "terraform-lock"
     region               = "eu-central-1"
   }
 

examples/lacework/main.tf

@@ -0,0 +1,115 @@
+terraform {
+  required_version = ">= 1.3.2"
+
+  backend "s3" {
+    bucket               = "tf-state-911453050078"
+    key                  = "examples/lacework.tfstate"
+    workspace_key_prefix = "terraform-aws-kubernetes-platform"
+    dynamodb_table       = "terraform-lock"
+    region               = "eu-central-1"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.27"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.6"
+    }
+    kubectl = {
+      source  = "alekc/kubectl"
+      version = "~> 2.0"
+    }
+    lacework = {
+      source  = "lacework/lacework"
+      version = "~> 1.8"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+provider "kubernetes" {
+  host                   = module.k8s_platform.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.k8s_platform.eks.cluster_certificate_authority_data)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    args        = ["eks", "get-token", "--cluster-name", module.k8s_platform.eks.cluster_name]
+  }
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = module.k8s_platform.eks.cluster_endpoint
+    cluster_ca_certificate = base64decode(module.k8s_platform.eks.cluster_certificate_authority_data)
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "aws"
+      args        = ["eks", "get-token", "--cluster-name", module.k8s_platform.eks.cluster_name]
+    }
+  }
+}
+
+provider "kubectl" {
+  apply_retry_count      = 5
+  host                   = module.k8s_platform.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.k8s_platform.eks.cluster_certificate_authority_data)
+  load_config_file       = false
+
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    args        = ["eks", "get-token", "--cluster-name", module.k8s_platform.eks.cluster_name]
+  }
+}
+
+data "aws_secretsmanager_secret" "lacework" {
+  name = "dai-lacework/tamedia/apiKey"
+}
+
+data "aws_secretsmanager_secret_version" "lacework" {
+  secret_id = data.aws_secretsmanager_secret.lacework.id
+}
+
+provider "lacework" {
+  account    = jsondecode(data.aws_secretsmanager_secret_version.lacework.secret_string)["account"]
+  subaccount = jsondecode(data.aws_secretsmanager_secret_version.lacework.secret_string)["subAccount"]
+  api_key    = jsondecode(data.aws_secretsmanager_secret_version.lacework.secret_string)["keyId"]
+  api_secret = jsondecode(data.aws_secretsmanager_secret_version.lacework.secret_string)["secret"]
+}
+
+module "k8s_platform" {
+  source = "../../"
+
+  name = "lacework"
+
+  tags = {
+    Environment = "sandbox"
+    GithubRepo  = "terraform-aws-kubernetes-platform"
+    GithubOrg   = "tx-pts-dai"
+  }
+
+  vpc = {
+    create = true
+    cidr   = "10.0.0.0/16"
+  }
+
+  karpenter = {
+    subnet_cidrs = ["10.0.64.0/22", "10.0.68.0/22", "10.0.72.0/22"]
+  }
+}
+
+module "lacework" {
+  source = "../../modules/lacework"
+
+  cluster_name = module.k8s_platform.eks.cluster_name
+}

examples/lacework/outputs.tf

@@ -0,0 +1,14 @@
+output "eks" {
+  description = "eks module outputs"
+  value       = module.k8s_platform.eks
+}
+
+output "vpc" {
+  description = "vpc module outputs"
+  value       = module.k8s_platform.network
+}
+
+output "configure_kubectl" {
+  description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value       = "aws eks --region ${var.region} update-kubeconfig --name ${module.k8s_platform.eks.cluster_name} --alias ${module.k8s_platform.eks.cluster_name}"
+}

examples/lacework/variables.tf

@@ -0,0 +1,5 @@
+variable "region" {
+  description = "The region to deploy the platform"
+  type        = string
+  default     = "eu-central-1"
+}

modules/lacework/README.md

@@ -0,0 +1,59 @@
+# Lacework
+
+Deploy Lacework Agents
+
+```hcl
+module "lacework" {
+  source = "./modules/lacework"
+
+  cluster_name = module.eks.cluster_name
+}
+```
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.0.0 |
+| <a name="requirement_lacework"></a> [lacework](#requirement\_lacework) | >= 1.18.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.0.0 |
+| <a name="provider_lacework"></a> [lacework](#provider\_lacework) | >= 1.18.2 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_lacework_k8s_datacollector"></a> [lacework\_k8s\_datacollector](#module\_lacework\_k8s\_datacollector) | lacework/agent/kubernetes | 2.5.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_namespace_v1.lacework](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
+| [lacework_agent_access_token.kubernetes](https://registry.terraform.io/providers/lacework/lacework/latest/docs/resources/agent_access_token) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace for Lacework resources | `string` | `"lacework"` | no |
+| <a name="input_node_affinity"></a> [node\_affinity](#input\_node\_affinity) | Node affinity settings | <pre>list(object({<br>    key      = string<br>    operator = string<br>    values   = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "key": "kubernetes.io/arch",<br>    "operator": "In",<br>    "values": [<br>      "amd64",<br>      "arm64"<br>    ]<br>  },<br>  {<br>    "key": "kubernetes.io/os",<br>    "operator": "In",<br>    "values": [<br>      "linux"<br>    ]<br>  },<br>  {<br>    "key": "eks.amazonaws.com/compute-type",<br>    "operator": "NotIn",<br>    "values": [<br>      "fargate"<br>    ]<br>  }<br>]</pre> | no |
+| <a name="input_pod_priority_class_name"></a> [pod\_priority\_class\_name](#input\_pod\_priority\_class\_name) | Name of the pod priority class | `string` | `"system-node-critical"` | no |
+| <a name="input_resources"></a> [resources](#input\_resources) | Resources for the Lacework agent | <pre>object({<br>    cpu_request = string<br>    mem_request = string<br>    cpu_limit   = string<br>    mem_limit   = string<br>  })</pre> | <pre>{<br>  "cpu_limit": "1000m",<br>  "cpu_request": "100m",<br>  "mem_limit": "1024Mi",<br>  "mem_request": "256Mi"<br>}</pre> | no |
+| <a name="input_server_url"></a> [server\_url](#input\_server\_url) | Lacework server URL | `string` | `"https://api.fra.lacework.net"` | no |
+| <a name="input_tolerations"></a> [tolerations](#input\_tolerations) | Tolerations for the Lacework agent | `list(map(string))` | <pre>[<br>  {<br>    "effect": "NoSchedule",<br>    "operator": "Exists"<br>  }<br>]</pre> | no |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/lacework/main.tf

@@ -0,0 +1,32 @@
+data "aws_caller_identity" "this" {}
+
+resource "lacework_agent_access_token" "kubernetes" {
+  name        = "${var.cluster_name}-${data.aws_caller_identity.this.account_id}-kubernetes"
+  description = "For the kubernetes agent"
+}
+
+resource "kubernetes_namespace_v1" "lacework" {
+  metadata {
+    name = var.namespace
+  }
+}
+
+module "lacework_k8s_datacollector" {
+  source  = "lacework/agent/kubernetes"
+  version = "2.5.1"
+
+  namespace = kubernetes_namespace_v1.lacework.metadata[0].name
+
+  lacework_access_token = lacework_agent_access_token.kubernetes.token
+  lacework_server_url   = var.server_url
+  lacework_cluster_name = var.cluster_name
+
+  pod_cpu_request         = var.resources.cpu_request
+  pod_mem_request         = var.resources.mem_request
+  pod_cpu_limit           = var.resources.cpu_limit
+  pod_mem_limit           = var.resources.mem_limit
+  pod_priority_class_name = var.pod_priority_class_name
+
+  node_affinity = var.node_affinity
+  tolerations   = var.tolerations
+}

modules/lacework/variables.tf

@@ -0,0 +1,82 @@
+variable "server_url" {
+  description = "Lacework server URL"
+  type        = string
+  default     = "https://api.fra.lacework.net"
+}
+
+variable "namespace" {
+  description = "Namespace for Lacework resources"
+  type        = string
+  default     = "lacework"
+}
+
+variable "cluster_name" {
+  description = "Name of the cluster"
+  type        = string
+}
+
+variable "pod_priority_class_name" {
+  description = "Name of the pod priority class"
+  type        = string
+  default     = "system-node-critical"
+}
+
+variable "node_affinity" {
+  description = "Node affinity settings"
+  type = list(object({
+    key      = string
+    operator = string
+    values   = list(string)
+  }))
+  default = [
+    {
+      key      = "kubernetes.io/arch"
+      operator = "In"
+      values = [
+        "amd64",
+        "arm64"
+      ]
+    },
+    {
+      key      = "kubernetes.io/os"
+      operator = "In"
+      values = [
+        "linux"
+      ]
+    },
+    {
+      key      = "eks.amazonaws.com/compute-type"
+      operator = "NotIn"
+      values = [
+        "fargate"
+      ]
+    }
+  ]
+}
+
+variable "tolerations" {
+  description = "Tolerations for the Lacework agent"
+  type        = list(map(string))
+  default = [
+    {
+      operator = "Exists"
+      effect   = "NoSchedule"
+    }
+  ]
+}
+
+variable "resources" {
+  description = "Resources for the Lacework agent"
+  type = object({
+    cpu_request = string
+    mem_request = string
+    cpu_limit   = string
+    mem_limit   = string
+  })
+  default = {
+    cpu_request = "100m"
+    mem_request = "256Mi"
+    cpu_limit   = "1000m"
+    mem_limit   = "1024Mi"
+  }
+}

modules/lacework/versions.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.3.2"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.0.0"
+    }
+    lacework = {
+      source  = "lacework/lacework"
+      version = ">= 1.18.2"
+    }
+  }
+}